
ETSI EN 303 645 – Consumer IoT Security

1. Why EN 303 645 matters now

ETSI EN 303 645 is the globally recognized baseline standard for the security of consumer Internet of Things (IoT) devices. It establishes a practical, risk-based set of 13 high-level security provisions, plus additional data protection provisions, that manufacturers can implement to protect their products against common cybersecurity threats.

While it began as a European standard, its straightforward, outcome-focused approach has led to its adoption as the foundation for IoT security regulations and certification schemes worldwide, including in the UK, Singapore, and Australia. For companies selling consumer IoT products globally, complying with EN 303 645 is the single most effective step towards meeting multiple international requirements.

Official Texts & Guidance
  • ETSI EN 303 645 (V3.1.3): Download from the ETSI website. The core standard defining the security and data protection provisions. This is the legally significant text.
  • ETSI TS 103 701: Conformance Assessment Specification. This document defines the mandatory test cases for verifying that each provision in the standard has been met. It is used by test labs for conformity assessment.
  • ETSI TR 103 621: Implementation Guide. This technical report provides non-exhaustive examples and guidance for implementing the standard's provisions. It is a helpful resource but not legally binding.

Timeline of Key Dates

| Date | Event | Reference |
| --- | --- | --- |
| 2020-06-12 | First version (V2.1.1) published. | ETSI EN 303 645 V2.1.1 |
| 2024-09-11 | Current version (V3.1.3) adopted by ETSI. | EN 303 645 Foreword |
| 2024-12-31 | Latest date for announcement of the EN at national level. | EN 303 645 Foreword |
| 2025-06-30 | Date of publication for new National Standards endorsing the EN, and withdrawal of any conflicting national standards. | EN 303 645 Foreword |
| 2025-08-01 | RED Delegated Act becomes mandatory; compliance with a future harmonised version of EN 303 645 will likely provide presumption of conformity. | RED Delegated Act |

Relationship to EU law

| Law | How it interacts with EN 303 645 |
| --- | --- |
| Radio Equipment Directive (RED) | EN 303 645 is the primary candidate to become the harmonised standard for demonstrating compliance with the cybersecurity requirements of the RED Delegated Act (EU) 2022/30. Manufacturers who follow this standard will likely gain a "presumption of conformity" with the RED's essential requirements for network protection, privacy, and fraud prevention when the deadline arrives on 1 August 2025. |
| Cyber Resilience Act (CRA) | The CRA's essential security requirements in Annex I are heavily based on the principles in EN 303 645. It is expected that a future version of this standard (or a new standard based on it) will become a harmonised standard for the CRA. For manufacturers of "Default" category consumer products, compliance with EN 303 645 is an excellent way to prepare for future CRA obligations. |

2. Scope

The standard applies to consumer IoT devices, which are defined as network-connected devices intended for consumer use. This includes devices that are directly connected to the internet or to a home network. The scope is broad and technology-neutral, focusing on the security outcomes rather than specific implementations (EN 303 645 § 1).

The standard also explicitly includes the associated services required for the device's functionality, such as mobile applications and cloud back-end services that are designed and developed by or under the responsibility of the manufacturer.

A non-exhaustive list of in-scope products includes (EN 303 645 § 1):

  • Connected children's toys and baby monitors
  • Connected smoke detectors, door locks, and window sensors
  • IoT gateways, base stations, and hubs
  • Smart cameras, smart speakers, and smart TVs
  • Wearable health and fitness trackers
  • Connected home automation and alarm systems
  • Connected appliances (e.g., washing machines, refrigerators)
  • Smart home assistants

The standard is intended to establish a baseline level of security. It does not cover more advanced attacks that are prolonged, sophisticated, or require sustained physical access to the device.

3. Requirements & How to Implement Them

The standard's security obligations are detailed in Section 5 (Cyber security provisions) and Section 6 (Data protection provisions). These provisions are outcome-focused, giving manufacturers the flexibility to choose the most appropriate technical solutions for their products.

The following tables translate those provisions into a practical engineering checklist. Each row links to the relevant implementation guide in this handbook, providing a clear, actionable path from the standard's text to the code and configuration required for compliance.

3.1 Cybersecurity Provisions (Section 5)

| Obligation | References | Engineering Tasks | Implementation Guides |
| --- | --- | --- | --- |
| No universal default passwords | EN 303 645 § 5.1-1; TS 103 701 § 5.1; TR 103 621 § 6.1 | All device passwords must be unique per device or defined by the user. Brute-force attack mitigations must be implemented. | Unique Device Identity; Secure Configuration |
| Implement vulnerability disclosure policy | EN 303 645 § 5.2-1; TS 103 701 § 5.2; TR 103 621 § 6.6 | Make a public vulnerability disclosure policy available and act on disclosed vulnerabilities in a timely manner. | Vulnerability Disclosure |
| Keep software updated | EN 303 645 § 5.3-2; TS 103 701 § 5.3; TR 103 621 § 6.10 | Provide a secure update mechanism for all non-immutable software components. The defined support period must be published. | Secure OTA Updates; Patch Cadence |
| Securely store sensitive security parameters | EN 303 645 § 5.4-1; TS 103 701 § 5.4; TR 103 621 § 6.25 | Store cryptographic keys and other sensitive parameters securely, using hardware-backed storage where appropriate. Do not hard-code credentials in software. | Key Provisioning & Storage |
| Communicate securely | EN 303 645 § 5.5-1; TS 103 701 § 5.5; TR 103 621 § 6.29 | Use best practice cryptography to protect data in transit. Authenticate all external network connections where appropriate. | Key Provisioning & Storage |
| Minimize exposed attack surfaces | EN 303 645 § 5.6-1; TS 103 701 § 5.6; TR 103 621 § 6.37 | Disable unused logical and physical interfaces. Run processes with the least privilege necessary. | Secure Configuration & Hardening |
| Ensure software integrity | EN 303 645 § 5.7-1; TS 103 701 § 5.7; TR 103 621 § 6.46 | Use a secure boot mechanism to verify the integrity of the device's software. | Secure Boot |
| Ensure personal data is secure | EN 303 645 § 5.8-2; TS 103 701 § 5.8; TR 103 621 § 6.49 | Protect the confidentiality of any sensitive personal data transmitted from the device to associated services using best practice cryptography. | Data Privacy & Secure Deletion |
| Make systems resilient to outages | EN 303 645 § 5.9-2; TS 103 701 § 5.9; TR 103 621 § 6.52 | Ensure the device remains functional locally during network outages and reconnects in an orderly fashion after power restoration. | Device Lifecycle Management |
| Examine system telemetry data | EN 303 645 § 5.10-1; TS 103 701 § 5.10; TR 103 621 § 6.54 | If telemetry data is collected, it should be examined for security anomalies. | Security Logging & Monitoring |
| Make it easy for users to delete user data | EN 303 645 § 5.11-1; TS 103 701 § 5.11; TR 103 621 § 6.55 | Provide a simple mechanism for users to erase all their personal data from the device and any associated services. | Data Privacy & Secure Deletion |
| Make installation and maintenance easy | EN 303 645 § 5.12-1; TS 103 701 § 5.12; TR 103 621 § 6.59 | Provide a simple, secure-by-default setup process and clear guidance for secure configuration. | User Documentation; Secure Configuration & Hardening |
| Validate input data | EN 303 645 § 5.13-1A; TS 103 701 § 5.13; TR 103 621 § 6.62 | Validate data received from user interfaces and network interfaces to prevent system manipulation or failure. | CI/CD Hardening |
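As an added example, not code from the standard or from this handbook's implementation guides, the following Python sketch shows one way to meet the first row (§ 5.1-1): credentials are provisioned per device as salted PBKDF2 hashes, passwords on a universal-default denylist or derived from the serial number are refused, and the authentication path applies per-source exponential backoff as the required brute-force mitigation. The denylist contents, the iteration count and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample denylist of "universal" defaults (assumption: a real device
# would maintain this from published default-credential lists).
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "default"}
PBKDF2_ITERATIONS = 100_000  # assumption: tune to the device's CPU budget


def password_is_acceptable(serial: str, password: str) -> bool:
    """Reject universal defaults and passwords derivable from a public
    identifier (here the device serial), as § 5.1-1 requires."""
    pw = password.lower()
    if pw in UNIVERSAL_DEFAULTS or serial.lower() in pw:
        return False
    return len(password) >= 8


def provision_credential(serial: str, password: str) -> dict:
    """Store the per-device password as a salted PBKDF2-HMAC-SHA256 hash."""
    if not password_is_acceptable(serial, password):
        raise ValueError("password must be unique per device, not a universal default")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"serial": serial, "salt": salt, "hash": digest}


class AuthGate:
    """Password check with exponential per-source backoff after failures:
    the brute-force mitigation the provision asks for, without a permanent lockout."""
    def __init__(self, credential: dict, base_delay: float = 1.0, max_delay: float = 60.0):
        self.cred = credential
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def attempt(self, source: str, password: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        if now < self.locked_until.get(source, 0.0):
            return "locked"  # refused before the password is even checked
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.cred["salt"], PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, self.cred["hash"]):  # constant-time compare
            self.failures.pop(source, None)
            self.locked_until.pop(source, None)
            return "ok"
        n = self.failures[source] = self.failures.get(source, 0) + 1
        # 1 s, 2 s, 4 s, ... capped at max_delay: slows online guessing sharply
        self.locked_until[source] = now + min(self.base_delay * 2 ** (n - 1), self.max_delay)
        return "denied"
```

The `now` parameter exists so the backoff schedule can be exercised deterministically; on the device it is left at its default and the monotonic clock is used.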

3.2 Data Protection Provisions (Section 6)

| Obligation | References | Engineering Tasks | Implementation Guides |
| --- | --- | --- | --- |
| Transparency of personal data processing | EN 303 645 § 6-1; TS 103 701 § 5.14.1; TR 103 621 § 7.1 | Provide clear information about what personal data is processed, for what purpose, by whom, and for how long. | Data Privacy & Secure Deletion |
| Valid consent for data processing | EN 303 645 § 6-2; TS 103 701 § 5.14.2; TR 103 621 § 7.2 | Provide a means to acquire, store, and withdraw user consent for personal data processing. | Data Privacy & Secure Deletion |
| Data minimization | EN 303 645 § 6-4; TS 103 701 § 5.14.4; TR 103 621 § 7.4 | Limit data collection and processing to only what is necessary for the stated purpose. Use aggregation and anonymization techniques where possible. | Data Privacy & Secure Deletion |

4. Assessment & Conformance

Compliance with EN 303 645 is itself voluntary, but the standard serves as the primary technical specification for several mandatory regulatory schemes. Where a scheme references it, conformance provides a presumption of conformity with that scheme's requirements, simplifying the path to market access.

The standard itself defines the security outcomes, while a separate specification, ETSI TS 103 701, provides the corresponding test cases for third-party assessment. A manufacturer can submit their product to a testing laboratory, which will perform the tests defined in TS 103 701 to verify that each provision in EN 303 645 has been implemented correctly.

This assessment can be used to demonstrate compliance with regulations such as:

  • EU Radio Equipment Directive (RED): EN 303 645 is expected to be the harmonised standard used to show compliance with the RED's cybersecurity articles.
  • UK Product Security and Telecommunications Infrastructure (PSTI) regime: The UK's regulation is directly based on EN 303 645.
  • Other international schemes: Similar regulations in Singapore, Finland, and Australia are also based on this standard.